We are trying to connect IdentityIQ8.2P2 with Google cloud API using Webservice Connector.
After generating the RSA private key and adding scope directly to the debug of the application, we are now getting the error:
Exception occurred in Test Connection. Error: Exception occurred while generating access token: Unable to generate access token. Response returned: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}
What I understand is that the error is not from SailPoint; it is from the application, where the Google OAuth token endpoint is rejecting what you are passing.
Can you please confirm whether the RSA key was shared by the application team? If not, ask them to generate a Google-generated RSA key JSON, and after that do a test connection.
The private key shared by the Google team was not an RSA key and gave an RSA key error during test connection. We converted it to an RSA key using an openssl command, which resolved the private key error and gave a new error with scope.
So we included the below scope entry key to the application xml:
This was the first exception, with the RSA key issue. Fixed it by converting the private key using an openssl command:
Exception occurred in Test Connection. Error: class org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to class org.bouncycastle.openssl.PEMKeyPair (org.bouncycastle.asn1.pkcs.PrivateKeyInfo and org.bouncycastle.openssl.PEMKeyPair are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @5f233b265f233b26)
This is the exception we are getting now:
Exception occurred in Test Connection. Error: Exception occurred while generating access token: Unable to generate access token. Response returned: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}
The private key you converted via OpenSSL is not the original Google-generated key tied to the service account. When you convert a key externally, Google has no record of it. The JWT assertion is signed with a key Google cannot validate against any known service account.
Ask the application team to generate a new key directly from the Google Cloud Console:
They need to go to Google Cloud Console → IAM & Admin → Service Accounts → Keys → Create New Key → JSON.
Please try this, and hopefully your issue will be fixed.
Even with the newly generated key from the Google Cloud Console, we were getting the same error as before: org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to class org.bouncycastle.openssl.PEMKeyPair.
@prajna_poojari I would like to see the private key format that you copy and paste. I have pinged you over chat; please let me know when you have some time.
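Added example, not code from this thread or from SailPoint: a dependency-free Python check that tells whether the private_key pasted from a service-account JSON file is PKCS#8 ("BEGIN PRIVATE KEY", which a BouncyCastle PEMParser returns as PrivateKeyInfo) or PKCS#1 ("BEGIN RSA PRIVATE KEY", returned as PEMKeyPair), and unwraps PKCS#8 to PKCS#1 the same way the openssl conversion mentioned above does. The DER bytes and the JSON document are constructed toy data with tiny integers, not a real key.

```python
import base64, json, re

def _tlv(der, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def pem_to_der(pem):
    """Return (PEM label, DER bytes). Accepts literal '\\n' as pasted straight from the JSON file."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem.replace("\\n", "\n"), re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def key_format(der):
    """'pkcs8' if field 2 is an AlgorithmIdentifier SEQUENCE, 'pkcs1' if it is the INTEGER modulus."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, p = _tlv(body, 0)                 # version INTEGER
    return {0x30: "pkcs8", 0x02: "pkcs1"}.get(_tlv(body, p)[0], "unknown")

def pkcs8_to_pkcs1(der):
    """Unwrap PrivateKeyInfo: its privateKey OCTET STRING is the PKCS#1 RSAPrivateKey DER."""
    _, body, _ = _tlv(der, 0)
    _, _, p = _tlv(body, 0)                 # version
    _, _, p = _tlv(body, p)                 # AlgorithmIdentifier (rsaEncryption)
    tag, inner, _ = _tlv(body, p)
    if tag != 0x04:
        raise ValueError("expected privateKey OCTET STRING")
    return inner

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def inspect_service_account_json(text):
    """Report the key format found in a service-account JSON file and return a PKCS#1 copy."""
    label, der = pem_to_der(json.loads(text)["private_key"])
    fmt = key_format(der)
    pkcs1 = pkcs8_to_pkcs1(der) if fmt == "pkcs8" else der
    return {"label": label, "format": fmt, "pkcs1_pem": to_pem("RSA PRIVATE KEY", pkcs1)}

# Constructed toy DER (tiny integers, NOT a usable key) shaped exactly like a real RSA key:
TOY_PKCS1 = bytes.fromhex("300902010002010d020103")            # RSAPrivateKey{ver 0, n=13, e=3}
TOY_PKCS8 = bytes.fromhex("301f020100300d06092a864886f70d0101010500040b") + TOY_PKCS1
SAMPLE_JSON = json.dumps({"type": "service_account", "private_key": to_pem("PRIVATE KEY", TOY_PKCS8)})
```

Run `inspect_service_account_json(SAMPLE_JSON)` to see the report; a Google-issued JSON key reports "pkcs8", which is the PrivateKeyInfo case, so a connector expecting PEMKeyPair needs the PKCS#1 PEM this returns.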